HackerOne Reviews 16

This is related to my report where I discovered bugs on ne**.tech that were rejected. This HackerOne program may be manipulating reports for its own benefit. It may not be transparent, as there are indications that findings are rejected with the claim that they were previously reported. Strangely, those bugs have not been fixed for a long time. This likely suggests that their claim is not truthful. It would be best to avoid it.

I’m starting to think the entire platform might be a scam. It feels like either some HackerOne analysts could be taking the reports and using them for their own benefit, or the companies themselves are marking everything as Duplicate or Informative so they can quietly fix the vulnerabilities without paying any rewards.

10 reports in a row were just closed as Informative or Duplicate. This is a way worse rate than any fu**ing gambling website, where the chances are actually higher — at least there it’s 50/50. But on this platform, you can’t even have a fu**ing bot or an analyst directly check the report to confirm if it’s a duplicate, or publish the other reports if they are marked as Informative, or give any other real justification instead of every other excuse. Stay Away from HackerOne #Scam

I swear to God I’m not complaining, just telling the truth. About 15 minutes ago, I got a comment on my report, which I submitted on Dec 27, 2025. My mistake was forgetting to fill in the attack type and ratings, even though I wrote the report really well. The triager said, “seph0riane closed the report and changed the status to Informative. 14 hours ago: It could be potentially a scam page. We’re not hosting anything on this IP range. I close the issue.” And guess what? They fixed the bug but told me it’s a scam. Yeah, I see that, but they didn’t even have the decency to speak politely—just said whatever they felt. What kind of amateur triager does this? i don't know if i can show y'all the proof but Hackenproof.com is always the best. here is my report `reports/3479656`

Its a total scam, the rejected my 8.7 high for a duplicate informative of 6 years ago - fact: the technology the bug is referring too didn't even exists 6 year ago. H1 triage is really bad. Company's own triage is better, but avoid programs H1 is doing the triage.

Some of the reasons you should not waste your time on hackerone
1.Found bug was told "The bounty payment will be processed and remitted within the next few weeks.", then ghosted (no bounty) and been over a year with no response to messages.
2.Found bug on a bug bounty they waited over a month and told me it was duplicated, wouldn't respond to me asking information about it for example when it was found.
3. Decreasing reputation after finding informative bug, they told me it wouldn't effect my reputation but decrease it anyway.

Hsjhdje
Hack

Roblox
Please

I reported a valid critical vulnerability that the end-client has accepted awarded a bounty, hackerone refuses to verify my ID (last time it rejects it manually after it has been approved by the 3rd party responsible for the verification process), just to avoid processing the payout and to keep the money for themselves.

Complete waste of time, they are unprofessional, and there is no way you can escalate or contact someone in the company.

I'm super mixed on Hacker1 to be honest. On the one hand it's a super important service and a great product, on the other hand however I think it's one of the main reasons why I didn't continue my career in penetration testing.

I've had cases where serious vulnerabilites that have been triaged on other platforms and paid bounties are just closed by their analysts without any apparent way for me to appeal their decisions. Other cases they completely misunderstood what I was doing, it feels like they had no idea how the browser worked. I've also had a case that's still pending for the company to review for HALF A YEAR! They refuse to answer, ask the same questions and they are just stalling while there are serious vulnerabilities in their client's systems for months.

Because of this, I recommend you use an other service instead of H1.

Very good, thank you very much for the 250$

Unfortunately they'll find any excuse they can to not pay out and remember that any vulnerabilities you disclose to them you can't publicly disclose!

A good example is that I found a vulnerability in one product that allowed me to create a denial of service scenario (this product was from an AV vendor) and the UI would say that every file scanned was clean. It would have no integrity meaning it couldn't stop malware or scan for malware.

The vulnerability was seen as "not a practical scenario" since it required System privileges (even though anything running as Admin can very easily escalate to System even legitimately via a Windows Service) and therefore didn't warrant a payout.

Stay away from this company - they are not on your side.

its a god ap
don't consider this a review my brother typed this

New to Bug Bounty. HackerOne platform looks quite mature, the Bug Reports a great source of information and learning. Overall looks great!.

great site! Excelent